Kernel 2.6.17 changed the source locations of several netfilter extension modules, and as a result, the iptables build process fails to detect their presence and build the shared libraries to use them. Here's a script I wrote to fix iptables's extension tests for the new kernel:

#!/bin/sh
for each in .*-test ; do
    # if the test fails right now (prints nothing)
    if [ -z "$("./${each}")" ] ; then
        # create a new test with a fixed path
        sed 's/\/ipv4\/netfilter\/ipt_/\/netfilter\/xt_/' "${each}" > "${each}~"
        # if the new test passes
        if [ -n "$(/bin/sh "./${each}~")" ] ; then
            # keep the test executable (the redirect does not copy the mode)
            chmod +x "${each}~"
            # replace the old test with the new test
            mv "${each}~" "${each}"
        else
            # delete the new test
            rm "${each}~"
        fi
    fi
done

When run in the /var/tmp/portage/iptables-1.3.5-r4/work/iptables-1.3.5/extensions directory, that script will fix up the tests to detect the kernel extensions in their new locations. Note, I didn't mess with the IPv6 tests. Of course, it should only be run if the kernel version is 2.6.17 or greater! It would be swell if someone could get this integrated into the iptables-1.3.5 ebuild, until a fix is made upstream.
Wouldn't the correct thing be to check both files?
Fixed in CVS.
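
One way to make each IPv4 test check both locations, as the second comment suggests; this is an added example, not the script from the report and not the fix that went into CVS. It assumes each test is a one-line `[ -f $KERNEL_DIR/... ] && echo NAME` check, and the extension names MOVED, STAYED and ABSENT and the fake kernel tree are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the iptables tree. Assumed test format:
#   [ -f $KERNEL_DIR/net/ipv4/netfilter/ipt_NAME.c ] && echo NAME
OLD='/ipv4/netfilter/ipt_'   # pre-2.6.17 location
NEW='/netfilter/xt_'         # 2.6.17+ location

# Print a replacement test that runs the original check first and falls
# back to the same check against the new location.
dual_test() {
    body=$(grep -v '^#!' "$1")
    moved=$(printf '%s\n' "$body" | sed "s|$OLD|$NEW|")
    printf '#!/bin/sh\nout=$(\n%s\n)\n' "$body"
    printf '[ -n "$out" ] || out=$(\n%s\n)\n' "$moved"
    printf '[ -n "$out" ] && echo "$out"\n'
}

# Rewrite every old-style IPv4 test in directory $1 and print how many were
# rewritten. Tests that already mention the new location are skipped.
fix_tests() {
    n=0
    for t in "$1"/.*-test; do
        [ -f "$t" ] || continue
        grep -q "$OLD" "$t" || continue      # IPv6 and other tests: untouched
        grep -q "$NEW" "$t" && continue      # already checks both locations
        dual_test "$t" > "$t.tmp" && chmod +x "$t.tmp" && mv "$t.tmp" "$t"
        n=$((n + 1))
    done
    echo "$n"
}

# Constructed demo: MOVED exists only in the new location, STAYED only in
# the old one, ABSENT in neither.
demo() {
    d=$(mktemp -d); k=$d/kernel
    mkdir -p "$k/net/netfilter" "$k/net/ipv4/netfilter" "$d/ext"
    : > "$k/net/netfilter/xt_MOVED.c"
    : > "$k/net/ipv4/netfilter/ipt_STAYED.c"
    for x in MOVED STAYED ABSENT; do
        printf '#!/bin/sh\n[ -f $KERNEL_DIR%s%s.c ] && echo %s\n' \
            "/net$OLD" "$x" "$x" > "$d/ext/.$x-test"
    done
    fix_tests "$d/ext" >/dev/null
    for x in MOVED STAYED ABSENT; do
        KERNEL_DIR=$k sh "$d/ext/.$x-test" || :
    done
    echo "second pass rewrote $(fix_tests "$d/ext")"
    rm -rf "$d"
}
demo
```

Because the rewritten tests accept either layout, the result does not depend on which kernel version the build is run against.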